U.S. PATENT AND TRADEMARK OFFICE

USPTO Deployed Wireless Capability with Minimal Consideration for IT Security

FINAL REPORT NO. OIG-13-014-A
FEBRUARY 1, 2013

U.S. Department of Commerce
Office of Inspector General
Office of Audit and Evaluation

FOR PUBLIC RELEASE


UNITED STATES DEPARTMENT OF COMMERCE
Office of Inspector General
Washington, D.C. 20230

February 1, 2013

MEMORANDUM FOR:   David Kappos
                  Under Secretary of Commerce for Intellectual Property and
                  Director of the U.S. Patent and Trademark Office

                  Teresa Stanek Rea
                  Deputy Under Secretary of Commerce for Intellectual Property
                  and Deputy Director of the USPTO

FROM:             Allen Crawley
                  Assistant Inspector General for Systems Acquisition
                  and IT Security

SUBJECT:          USPTO Deployed Wireless Capability with Minimal Consideration
                  for IT Security
                  Final Report No. OIG-13-014-A

Attached is the final report of our audit of USPTO's Public and Enterprise Wireless LAN (PEWLAN) system, which we conducted to meet our obligations under the Federal Information Security Management Act.

We found that USPTO inappropriately connected PEWLAN to USPTO's operational environment and placed PEWLAN into operation without proper authorization.

We recommend that USPTO ensure that the system owners register all systems under development in Cyber Security Assessment and Management during the system's initiation phase and that USPTO rigorously applies its system development life cycle (SDLC) process and NIST's risk management framework to all system development projects. Further, we recommend that system owners, information system security officers, technical leads, project managers, and program managers attend USPTO's SDLC role-based training course on a regular basis. Finally, we recommend that Cybersecurity Division representatives have a role in deciding whether IT system development projects should transition to a subsequent phase in the SDLC based on their assessment of the effectiveness of incorporating security into the process.

We are pleased that in response to our draft report, you concurred with our findings and recommendations. We have summarized your response in the report and included the response as an appendix. We will post this report on OIG's website.

In accordance with Department Administrative Order 213-5, please provide us with your action plan within 60 calendar days from the date of this memorandum. The plan should outline actions you propose to take to address each recommendation.

We appreciate the cooperation and courtesies extended to us by your staff during our audit. Please direct any inquiries regarding this report to me at (202) 482-1855 and refer to the report title in all correspondence.

Attachment

cc:   Simon Szykman, Chief Information Officer
      John Owens, Chief Information Officer, USPTO
      Rod Turk, Director, Office of Cyber Security, and Chief Information Security Officer
      Welton Lloyd, Audit Liaison, USPTO
      Susan Schultz Searcy, Audit Liaison, Office of the Chief Information Officer


Report In Brief                                          FEBRUARY 1, 2013

U.S. PATENT AND TRADEMARK OFFICE
USPTO Deployed Wireless Capability with Minimal Consideration for IT Security
OIG-13-014-A

Background

The Public and Enterprise Wireless LAN (PEWLAN) system provides wireless access on USPTO's Alexandria, Virginia, campus. PEWLAN provides USPTO employees and contractors access to internal USPTO systems and information as if they were using a wired connection to perform their work, which can include financial and patent application information.

When we began our audit on June 27, 2012, USPTO insisted that PEWLAN was under development and was not operational and requested that we wait until 2013 to review the system. However, we independently verified that USPTO had connected PEWLAN to its operational environment.

Why We Did This Review

We evaluated PEWLAN as part of our FY 2012 Federal Information Security Management Act of 2002 (FISMA) audit.

Our objective was to assess the effectiveness of USPTO's IT security program by determining whether key security measures adequately protect its systems and its information. To do so, we assessed security measures USPTO employed during development of its PEWLAN system.

WHAT WE FOUND

PEWLAN was inappropriately connected to USPTO's operational environment. In April 2012, USPTO first connected PEWLAN to its operational environment. Over the next 3 months, PEWLAN remained connected intermittently to USPTO's operational environment. However, before connecting PEWLAN, USPTO did not identify, implement, and document security controls required to protect the system. As a result, USPTO was unable to assess appropriate security controls, which is a critical step to understanding the security risks when introducing a new system into an operational environment. Thus, USPTO put its critical operational systems at risk.

PEWLAN was placed into operation without proper authorization. USPTO placed PEWLAN into operation in early June 2012 and made the system available to users without having the required authorization to operate the system. USPTO granted an interim authorization to test (IATT) for PEWLAN based solely on the risks identified in penetration test reports and without assurance that security controls were properly implemented. Furthermore, USPTO should have issued an IATT before conducting penetration testing.

WHAT WE RECOMMEND

We make the following recommendations to the Under Secretary of Commerce for Intellectual Property and Director of the U.S. Patent and Trademark Office:

1. Ensure that system owners register all systems under development in Cyber Security Assessment and Management during the initiation phase of the SDLC.

2. Ensure that USPTO rigorously applies its SDLC process and the RMF to all IT system development projects. This should include ensuring that required system security documents are appropriately developed and updated and that security controls required to protect a system are implemented and assessed.

3. Ensure that system owners, information system security officers, technical leads, project managers, and program managers attend the SDLC role-based training course regularly.

4. Ensure that the Cybersecurity Division representatives have a role in deciding whether IT system development projects should transition to a subsequent phase in the SDLC, based on their assessment of the effectiveness of incorporating security into the process.


U.S. DEPARTMENT OF COMMERCE                              OFFICE OF INSPECTOR GENERAL

Contents

Introduction ......................................................... 1
Background .......................................................... 3
Findings and Recommendations ........................................ 5
   I.  PEWLAN Was Inappropriately Connected to USPTO's Operational Environment ... 5
   II. PEWLAN Was Placed into Operation Without Proper Authorization ............. 6
   Conclusion ....................................................... 6
   Recommendations .................................................. 8
Summary of Agency Response and OIG Comments ......................... 9
Appendix A: Objectives, Scope, and Methodology ...................... 10
Appendix B: Agency Response ......................................... 12


Introduction

The U.S. Patent and Trademark Office (USPTO) fosters innovation, competitiveness, and economic growth through quality and timely examinations of patent and trademark applications. Patent operations, which account for the vast majority of USPTO's staffing and monetary resources, determine whether inventions claimed in patent applications are new, useful, and non-obvious. The timely granting of quality patents provides inventors with exclusive rights to their discoveries and contributes to the strength and vitality of the U.S. economy.

As part of our FY 2012 Federal Information Security Management Act (FISMA) audit, we evaluated USPTO's Public and Enterprise Wireless LAN (PEWLAN) system, which provides wireless access on USPTO's Alexandria, Virginia, campus. PEWLAN provides USPTO employees and contractors access to internal USPTO systems and information as if they were using a wired connection to perform their work, which can include accessing financial and patent application information. It also provides Internet access to authorized USPTO visitors and guests using their own devices, such as laptops, tablets, and smartphones.

When we began our audit on June 27, 2012, USPTO insisted that PEWLAN was under development and was not operational and requested that we wait until 2013 to review this system. However, we independently verified that USPTO had connected PEWLAN to its operational environment (e.g., production systems and critical information). In addition, in late June 2012, USPTO posted documents on its chief information officer's (CIO's) intranet, which informed employees and contractors that the new wireless capabilities were available and described how to use them.

USPTO first connected PEWLAN to its operational environment starting in April 2012 to allow a contractor to perform penetration testing. Three reports issued by the contractor identified significant security weaknesses and vulnerabilities. However, before completely remediating these weaknesses and vulnerabilities, USPTO placed PEWLAN into operation on June 11, 2012.

We determined that USPTO placed PEWLAN into operation despite serious security weaknesses and significant vulnerabilities and had not implemented the required security controls and conducted proper control assessment as defined by FISMA. As a result, on August 7, 2012, we issued a memorandum to the Under Secretary of Commerce for Intellectual Property and Director of the U.S. Patent and Trademark Office, stating that the current security posture of PEWLAN presented significant and undue risks to USPTO's operational systems and information and recommending that USPTO immediately disconnect PEWLAN from USPTO's operational environment. Our memorandum also informed USPTO that we would be issuing an audit report containing additional recommendations. The Under Secretary responded via e-mail that same day, noting that USPTO had disconnected PEWLAN.

On September 19, 2012, USPTO's CIO issued a memorandum acknowledging that USPTO did not fully comply with its system development life cycle (SDLC) process—which places a priority on security participation and authorization—during development of PEWLAN.

In addition, USPTO initiated PEWLAN as a project in June 2011; however, it did not identify (register[1]) PEWLAN as a system under development in the Department's information system inventory maintained in the Cyber Security Assessment and Management (CSAM) tool. USPTO did not register PEWLAN as a system under development until July 6, 2012—13 months after USPTO began development and 9 days after we began our fieldwork.

[1] Step 1 of the risk management framework described in NIST SP 800-37 requires the system owner to "Register the information system with appropriate organizational program/management offices," which identifies the system in the system inventory.

Table 1 contains a timeline of USPTO's development and our audit of PEWLAN. We reviewed the security measures USPTO employed during development of PEWLAN. See appendix A for details regarding our objectives, scope, and methodology.

Table 1. Timeline for PEWLAN Development and Audit

Date                  Event
June 2011             USPTO initiated PEWLAN project.
April 2012            USPTO connected PEWLAN to its operational environment for penetration testing by contractor.
June 11, 2012         USPTO placed PEWLAN into operation with no authorization to operate.
June 27, 2012         OIG held audit kickoff meeting–USPTO denied wireless was operational.
June 29, 2012         OIG confirmed PEWLAN was operational.
June 29, 2012         USPTO issued interim authorization to test for PEWLAN.
July 6, 2012          USPTO registered PEWLAN as a system under development in Cyber Security Assessment and Management.
August 7, 2012        OIG issued memo to the Director, USPTO, recommending USPTO disconnect PEWLAN.
August 7, 2012        USPTO disconnected PEWLAN.
August 15, 2012       USPTO issued an authorization to operate for PEWLAN.
August 22, 2012       USPTO reconnected PEWLAN.
September 19, 2012    USPTO's CIO responded to OIG's August 7 memorandum.
Source: OIG analysis


Background

USPTO's Office of the Chief Information Officer has developed an SDLC process, which includes measures to incorporate IT security early in a system's life cycle. The process intends to ensure that the system is secure and conforms to USPTO and federal IT security standards and guidelines. The National Institute of Standards and Technology (NIST) has developed a risk management framework (RMF)[2] for ensuring integration of appropriate IT security requirements into an organization's enterprise architecture and SDLC process. The goals of USPTO's SDLC are compatible with NIST's RMF. The RMF includes guidance for developing system security plans, conducting security control assessments, and authorizing systems to operate during all phases of a system's life cycle.

[2] NIST outlined a six-step process to manage risks throughout an information system's life cycle. Federal agencies have been required to follow the process for new system development since February 2010. NIST, February 2010. Guide for Applying the Risk Management Framework to Federal Information Systems, NIST SP 800-37. Gaithersburg, MD: NIST.

System Security Plans

The RMF assigns the system owner responsibility for developing and maintaining the system security plan. The system security plan provides an overview of security requirements and describes the controls in place or planned for meeting those requirements. The plan also describes implementation details for security controls and thus serves as a basis for assessing control effectiveness. The plan further serves as the vehicle for documenting the structured process of planning adequate, cost-effective security protection for a system. System security plans are living documents that require periodic review and modification to reflect the status of the system during the development life cycle. The authorizing official is responsible for approving system security plans.

Security Control Assessments

The RMF also includes guidance for conducting security control assessments throughout the SDLC and recommends conducting them as early as practicable. The purpose of the assessments is to ensure that the security controls, as described in the system security plan, are operating as intended. Therefore, the security plan must document security controls as accurately as possible. The RMF further requires documenting assessment results in a security assessment report, used by the authorizing official to make a risk-based decision about the appropriate authorization status of a system, and documenting security weaknesses in plans of action and milestones (POA&Ms).

Security Authorization

The RMF describes the process of granting or denying authorization for an information system to operate based on a determination of risks to organizational operations and assets, individuals, other organizations, and the nation resulting from the operation of the system. The authorizing official uses the system security plan, security assessment report, and POA&M—collectively referred to as the security authorization package—along with other available documents, such as a risk assessment report, to determine risks associated with operating the system and the acceptability of these risks. If the risks are acceptable, the authorizing official issues an authorization to operate for a specified period under certain terms and conditions.

The RMF also includes an interim authorization to test (IATT)—a special type of authorization decision allowing an information system to operate in an operational environment in order to test the system with actual operational (i.e., live) data for a specified period. The authorizing official grants an IATT only when the operational environment or live data are required to complete specific test objectives. The IATT allows organizations to assess functional and security requirements within a system's intended environment during development.


Findings and Recommendations

I. PEWLAN Was Inappropriately Connected to USPTO's Operational Environment

In April 2012, 10 months after initiating the PEWLAN project, USPTO first connected PEWLAN to its operational environment to conduct penetration tests, which identified serious security weaknesses in the system's architecture and security controls. Over the next 3 months, PEWLAN remained connected intermittently to USPTO's operational environment. However, before connecting PEWLAN to the operational environment, USPTO did not identify, implement, and document security controls required to protect the system. As a result, USPTO was unable to assess appropriate security controls, which is a critical step to understanding the security risks when introducing a new system into an operational environment. Thus, USPTO put its critical operational systems at risk while conducting penetration tests, remediating weaknesses, and implementing architectural changes associated with PEWLAN.

While the penetration testing provided some visibility of the security risks associated with PEWLAN, it is only part of the security control assessments required by the RMF. It does not constitute a full assessment of security control implementations, nor does it convey all risks to USPTO's operational environment. Nonetheless, the tests did identify the following risks, which most concerned us:

1. Internal infrastructure components were visible to public users.
2. Authentication of users did not function as intended.
3. Credentials used to log on to USPTO systems were vulnerable on the public portion of PEWLAN.
4. The wireless intrusion prevention system did not appropriately detect and provide alerts for security events.

As a result, the penetration testing itself, by directly connecting PEWLAN to the operational environment, increased the risk of compromise due to the presence of these vulnerabilities.

In addition, before performing these penetration tests, USPTO should have selected and implemented the appropriate required set of security controls and described their implementation in a system security plan, which serves as a foundation for conducting security control assessments and documenting risk throughout a system's life cycle. However, USPTO made little progress toward identifying security requirements, developing the system security plan, or conducting control assessments in the 10 months following PEWLAN's initiation. Without a fully developed system security plan and adequate security control assessments, USPTO did not have an accurate perspective of associated risks to support its decision to put PEWLAN into its operational environment. In fact, when penetration testing started, an internal preliminary risk assessment report issued by USPTO's Cybersecurity Division, on April 17, 2012, indicated that "there is no documentation available associated to PEWLAN.…Therefore the current security features and posture are unknown to internal stakeholders."

II. PEWLAN Was Placed into Operation Without Proper Authorization

USPTO placed PEWLAN into operation in early June 2012 and thus made the system available to users without having the required authorization to operate the system.[3] On June 29, 2012—2 days after our audit kickoff meeting—USPTO's CIO issued an IATT for PEWLAN with an expiration date of September 29, 2012.

[3] Security control CA-6, Security Authorization, specifies that the organization should ensure that the authorizing official authorizes the information system for processing before commencing operations. NIST, August 2009. Recommended Security Controls for Federal Information Systems and Organizations, NIST SP 800-53. Gaithersburg, MD: NIST.

However, USPTO granted the IATT for PEWLAN based solely on the risks identified in the penetration test reports and without assurance that security controls were properly implemented. Furthermore, USPTO should have issued an IATT before conducting the penetration testing in April 2012.

Although the IATT identified the need to remediate vulnerabilities discovered during penetration testing and to finalize documentation for the system, it did not address key elements to support the authorization decision. For example, the IATT did not identify specific test objectives and did not specifically identify the need to conduct security control assessments and develop a complete security authorization package before expiration of the IATT. When USPTO issued the IATT, the only system security plan that existed was a preliminary draft, which did not include implementation descriptions for security controls and did not allocate them to PEWLAN system components. Without fully addressing these key elements, USPTO could not realistically determine risks associated with operating PEWLAN during the IATT.

Conclusion

We found that USPTO did not develop appropriate security documents, perform security control assessments, or assess risks before conducting penetration testing or beginning deployment of PEWLAN.

According to USPTO's SDLC process, persons with system development roles (e.g., project managers, system owners, and technical leads) are responsible for coordinating with representatives from the Cybersecurity Division to ensure that security-related documents are developed and updated and that appropriate authorization actions, including control assessments, are completed throughout a system's life cycle. We found that security missteps during PEWLAN's development occurred largely because this coordination was ineffective. Furthermore, based on interviews with USPTO officials and our analysis, pressure from an aggressive project schedule likely contributed to lapses in following the SDLC process.

To promote an understanding of the relationship between USPTO's SDLC process and the RMF and to improve group coordination during system development, USPTO recently implemented an SDLC role-based training course for information system security officers, system owners, technical leads, project managers, and program managers. The course maps the phases of USPTO's SDLC to the general life cycle referred to in descriptions of NIST's RMF and identifies security documents and the roles associated with their production during the various SDLC phases. Specifically, it reinforces the role of facilitation points of contact, who are representatives from the Cybersecurity Division tasked with assisting system owners, information system security officers, and technical leads in developing and maintaining system security documentation, updating and maintaining security information in system design documents, and implementing continuous monitoring.

Institutionalizing the SDLC role-based training course should significantly increase the likelihood of appropriately incorporating security into USPTO's SDLC. Furthermore, USPTO has indicated that because of our audit, it has started implementing a procedure where the Cybersecurity Division representatives have a role in deciding whether IT system development projects should transition to a subsequent phase in the SDLC based on their assessment of the effectiveness of incorporating security into the process.

Since issuing the IATT on June 29, 2012, USPTO has developed system design documents and an approved system security plan, developed procedures for assessing security controls, and conducted security control assessments for PEWLAN. On August 15, 2012, USPTO's CIO issued an authorization to operate for PEWLAN based on his review of a complete security authorization package. Our review of the authorization package noted several issues in the system's POA&M—most notably, excessive remediation times for several critical controls and inappropriate prioritization of a POA&M item related to account management. We discussed these issues with USPTO security officials, who addressed our concerns.

Recommendations

To help ensure that USPTO appropriately considers IT security in future IT system development efforts, we make the following recommendations to the Under Secretary of Commerce for Intellectual Property and Director of the United States Patent and Trademark Office:

1. Ensure that system owners register all systems under development in Cyber Security Assessment and Management during the initiation phase of the SDLC.

2. Ensure that USPTO rigorously applies its SDLC process and the RMF to all IT system development projects. This should include ensuring that required system security documents are appropriately developed and updated and that security controls required to protect a system are implemented and assessed.

3. Ensure that system owners, information system security officers, technical leads, project managers, and program managers attend the SDLC role-based training course on a regular basis.

4. Ensure that the Cybersecurity Division representatives have a role in deciding whether IT system development projects should transition to a subsequent phase in the SDLC based on their assessment of the effectiveness of incorporating security into the process.


Summary of Agency Response and OIG Comments

In response to our draft report, USPTO concurred with our findings and recommendations. In addition, USPTO indicated that it has remediated many of the issues related to our findings.


Appendix A: Objectives, Scope, and Methodology

Our objective was to assess the effectiveness of USPTO's IT security program by determining whether key security measures adequately protect its systems and its information. To do so, we assessed security measures USPTO employed during development of its recently deployed Public and Enterprise Wireless LAN (PEWLAN) system by

• reviewing system-related documents, including project development documentation, policy and procedures, planning documents, security assessment documents, and other material supporting the development of PEWLAN and

• interviewing USPTO IT security personnel.

We reviewed USPTO's compliance with the following applicable provisions of law, regulations, and mandatory guidance:

• the Federal Information Security Management Act of 2002

• IT Security Program Policy and Minimum Implementation Standards, U.S. Department of Commerce, introduced by the Chief Information Officer on March 9, 2009, and applicable Commerce Information Technology Requirements

• NIST Federal Information Processing Standards publications:

    o 199, Standards for Security Categorization of Federal Information and Information Systems

    o 200, Minimum Security Requirements for Federal Information and Information Systems

• NIST Special Publications:

    o 800-18, Guide for Developing Security Plans for Information Technology Systems

    o 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems

    o 800-53, Recommended Security Controls for Federal Information Systems and Organizations

    o 800-53A, Guide for Assessing the Security Controls in Federal Information Systems

    o 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, Volumes I and II

    o 800-70, Security Configuration Checklists Program for IT Products

    o 800-115, Technical Guide to Information Security Testing and Assessment

We conducted our fieldwork from June to October 2012. We performed this audit under the authority of the Inspector General Act of 1978, as amended, and Department Organization Order 10-13, dated August 31, 2006. We conducted this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions.


Appendix B: Agency Response

UNITED STATES PATENT AND TRADEMARK OFFICE
CHIEF FINANCIAL OFFICER

JAN 18 2013

MEMORANDUM FOR:   Allen Crawley
                  Assistant Inspector General for Systems Acquisition and IT
                  Security, Office of Inspector General

FROM:             Anthony P. Scardino
                  Chief Financial Officer
J\n                                                                                   z~\n\n             SUBJECT:                      Response to Draft Report "USPTO Deployed Wireless Capability\n                                           with Minimal ConsideraJionfor IT Security\'" (December 2012)\n\n\n             Thank you for your draft report dated December 14, 2012, detailing your findings and\n             recommendations. We appreciate the effort your staff has made in evaluating the effectiveness\n             of our PEWLAN Information System. We have carefully considered and concur with the\n             recommendations made in the subject draft report. The United States Patent and Trademark\n             Office (USPTO) provides the following attachment as our response to the audit report findings.\n\n             Again, we thank the Assistant Inspector General for System Acquisition and IT Security for the\n             report. We intend to meet the recommendations in a diligent manner, and we will gratefully\n             accept suggestions as we move forward to ensure that an effective security program is in place\n             that will enable us to securely maintain systems in support of the USPTO.\n\n\n\n             Attachment\n\n\n\n\n                                     P.O. Box 1450, Alexandria, Virginia 22313-1450 - WMYUSPTOGOV\n\n\n\n\nFINAL REPORT NO. OIG-13-014-A                                                                                             12\n\x0cU.S. DEPARTMENT OF COMMERCE                                                          OFFICE OF INSPECTOR GENERAL\n\n\n         USPTO Cyber Security\'s Response to FY 2012 FJSMA Assessment of tbe P ublic and\n         En terprise Wireless LAN <PEWLAN) (PTOI-014-00), Draft Report December 2012\n\n         OIG F inding:\n\n         1. 
PEWLAN was inappropriately connected to USPTO \'s operational environment.\n\n             \xe2\x80\xa2   USPTO connected PEWLAN to its operational environment to conduct penerration lests,\n                 which idenlified serious security weaknesses in the system \'s architecture and security\n                 controls. PEWLAN remained intermittently connected to the USPTO operational\n                 environment o ver the neJ.t three monthsjiJflowiflg rite completion ofthe p~rcetruliun\n                 testing.\n\n             \xe2\x80\xa2   USPTO did not identify, implement, and document security controls required lO\n                 protect the system prior to connecting PEWLA.N to the operational environment. As a\n                 result, the USPTO was unable to assess appropriate security controls leaving critical\n                 operational systems at risks while conducting penetration tests, remediating weaknesses,\n                 and implementing architectural changes associated with PEWLAN.\n\n             \xe2\x80\xa2   The penetration tests performed do not constitute a full assessment ofsecurity control\n                 implementations nor does it convey all risks to USPTO \'s operational environment.\n\n             \xe2\x80\xa2   Penetration tests revealed that by directly connecting PEWLAN to the operational\n                 environment, risks were increased due to the presence of the following vulnerabilities:\n\n                        \xe2\x80\xa2     internal infrasrructure componenls were visible to public users\n                        \xe2\x80\xa2     Authentication of users did not function as intended\n                        ..    
Credentials used to log on to USPTO systems were vulnerable on the public\n                              portion of PEWLAN\n                              The wireless inlrusion prevention system did not appropriately detect and\n                              provide a/ens .for securily evenls\n\n             \xe2\x80\xa2   USPTO did not have an accurate perspective ofassocialed risks to support ils decision to\n                 put PEWLAN into its operational environment due to the fact that the appropriate\n                 security controls were not selected and implemented In addition., a system security plan\n                 was not in place in the following ten months since the PEWLAN project was initiated.\n\n         USPTO Response:\n\n         USPTO agrees with this finding. The following actions were taken to address the concerns\n         above:\n\n                    \xe2\x80\xa2       A System Security Plan (SSP) was created for PEWLAN and was final ized on\n                            August 15, 2012. The SSP addressed the implementation and planned\n                            implementation of all security controls within NIST Special Publication 800-53\n                            Revision 3.\n\n\n                                                      Pagel of l 2\n\n\n\n\nFINAL REPORT NO. OIG-13-014-A                                                                                13\n\x0cU.S. DEPARTMENT OF COMMERCE                                                     OFFICE OF INSPECTOR GENERAL\n\n\n                  \xe2\x80\xa2   Full assessments of the appl icable security controls for PEWLAN were completed\n                      in accordance with NIST SP 800-37 Revision 1 and NIST SP 800-53A.\n\n                  \xe2\x80\xa2   Vulnerability scans were performed on all PEWLAN devices. 
An analysis was\n                      performed on the scan results to ensure that there were no major vulnerabilities\n                      and Lhat the latest applicable patches were installed. The analysis was provided to\n                      the assessment team to use as artifact evidence.\n\n                  \xe2\x80\xa2   Plan of Action & Milestones (POA&M) were created in the Cyber Security\n                      Assessment & Management (CSAM) tool tor all planned controls. The following\n                      are POA&Ms that were created pre and post assessment:\n\n                         o CM-2, CM-2( 1), CM-2(3) Baseline Configuration\n\n                         o CM-6 Configuration Settings\n\n                         o CM-7, CM-7(1) Least Functionality\n\n                         o      MA-2 Controlled Maintenance\n\n                         o MA-6 Timely Maintenance\n\n                         o SI-2 Flaw Remediation\n\n                         o      AC-2, AC-2(1 ), AC-2(2), AC-2(3), AC-2(4) Account Management\n\n                         o AC-6, AC-6(1 ) Least Privilege\n\n                         o AU-2, AU-2(3) Auditable Events\n\n                         o IA-2, IA-2(1), IA-2(2), IA-2(3) Identification and Authentication\n\n                         o AC-8 System Use Notification\n\n                         o RA-5 Vulnerability Scanning\n\n                  \xe2\x80\xa2   All of the POA&Ms created for PEWLAN have been addressed, remediated and\n                      closed as shown in the table below.\n\n                  \xe2\x80\xa2   The issue which allowed internal infrastructure components to be visible to public\n                      users has been remediated by recon:figuring the Perimeter Firewalls to adequately\n                      block discovery scans.\n\n\n\n\n                                                 Page 3 of 12\n\n\n\n\nFINAL REPORT NO. 
OIG-13-014-A                                                                               14\n\x0cU.S. DEPARTMENT OF COMMERCE                                                       OFFICE OF INSPECTOR GENERAL\n\n\n                 \xe2\x80\xa2   The issues with weaknesses to public wireless authentication using USPTO\n                     credentials have been resolved. The Entrust certificate authority has been\n                     incorporated into the authentication process to adequately verify a user.\n\n                 \xe2\x80\xa2   The issue pertaining to d etection and security alerts for the Wireless Intrusion\n                     Protection System (WIPS) has been resolved. Security alerts are now being\n                     produced and recorded for PEWLAN as intended.\n\n                 \xe2\x80\xa2   The PEWLAN assessment yielded a Risk Assessment Report (RAR) justifying a\n                     determination for granting an "Authority to Operate" for the system was based on\n                     the risk analysis within the report. The risks were mapped to the appropriate\n                     NlST security controls and were acknowledged by the authorizing official.\n\n\n\n\n                                                 .Page 4 of 12\n\n\n\n\nFINAL REPORT NO. OIG-13-014-A                                                                            15\n\x0cU.S. DEPARTMENT OF COMMERCE                                                       OFFICE OF INSPECTOR GENERAL\n\n       OIG Finding:\n\n       2. PEWLAN was placed into operation without proper authorization.\n\n               \xe2\x80\xa2   USPTO granted an Interim Authority to Test (fAIT) for PEWLAN based solely on the\n                   risks identified in the penetration test reports and without assurance that security\n                   conlrols were properly implemented. 
In addition, the fAIT was gran!ed after the\n                   system was in operation.\n\n               \xe2\x80\xa2   The IAIT identified the need to remediate vulnerabilities discovered during\n                   penetratiOn testmg and to finalize documentatiOn for the system. However, the IATT\n                   did not address key elements to Slpport the authorization decision..\n\n                   o The fAIT did not identifY specific test objectives, the need for security control\n                       assessments, and a plan to develop a complete security authorization package\n                       before the expircuion of the fAIT.\n\n                   o The only system security plan that existed at the time the !A TT was issued was a\n                     preliminary draft, which did not include implementation descriptions for security\n                     controls and did not allocate them to PEWLAN system components.\n\n\n       USPTO Response:\n\n       USPTO agrees with this finding. The follo\\ving actions have been taken to address the issues\n       above:\n\n                   \xe2\x80\xa2   A full assessment was performed on PEWLAN in which any security controls that\n                       were not implemented or working as intended, were deemed as risks to the\n                       USPTO. 
The vulnerabilities were identified within the Security Assessment\n                       Report (SAR) and the risks associated with the vulnerabilities were documented\n                       within the Risk Assessment Report (RAR).\n\n                   \xe2\x80\xa2   A Plan of Actions & Milestones was created for the risks identified in the RAR in\n                       order to adequately track and monitor them in accordance "\'~th US PTO policy.\n\n                   \xe2\x80\xa2   In additio11; the lAIT template has been revised to ensure future systems seeking\n                       approval to test in a production environment arc required to identify the\n                       following:\n\n                          o     identify specific test objectives\n\n                          o     Risk associated to security controls\n\n                          o     Compensating security controls\n\n\n\n                                                     Page 5 of12\n\n\n\n\nFINAL REPORT NO. OIG-13-014-A                                                                              16\n\x0cU.S. DEPARTMENT OF COMMERCE                                                    OFFICE OF INSPECTOR GENERAL\n\n\n                        o   Required remedial action per formed in conjunction with testing\n\n                 \xe2\x80\xa2   The PEWLAI\'J\' System Security P lan was finalized and approved by the System\n                     Owner (SO), Technical Lead (fL), Senior Information Security Officer (SJSO)\n                     and the Authorizing Official (AO) on A ugust 15, 2012.\n\n\n\n\n                                               Page6of12\n\n\n\n\nFINAL REPORT NO. OIG-13-014-A                                                                        17\n\x0cU.S. DEPARTMENT OF COMMERCE     OFFICE OF INSPECTOR GENERAL\n\n\n\n\nFINAL REPORT NO. OIG-13-014-A                         18\n\x0cU.S. 
DEPARTMENT OF COMMERCE     OFFICE OF INSPECTOR GENERAL\n\n\n\n\nFINAL REPORT NO. OIG-13-014-A                         19\n\x0cU.S. DEPARTMENT OF COMMERCE     OFFICE OF INSPECTOR GENERAL\n\n\n\n\nFINAL REPORT NO. OIG-13-014-A                         20\n\x0cU.S. DEPARTMENT OF COMMERCE     OFFICE OF INSPECTOR GENERAL\n\n\n\n\nFINAL REPORT NO. OIG-13-014-A                         21\n\x0cU.S. DEPARTMENT OF COMMERCE     OFFICE OF INSPECTOR GENERAL\n\n\n\n\nFINAL REPORT NO. OIG-13-014-A                         22\n\x0cU.S. DEPARTMENT OF COMMERCE     OFFICE OF INSPECTOR GENERAL\n\n\n\n\n011200000142\n\n\n\n\nFINAL REPORT NO. OIG-13-014-A                         23\n\x0c'